Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 482/582: Computer Security

Similar presentations


Presentation on theme: "CSC 482/582: Computer Security"— Presentation transcript:

1 CSC 482/582: Computer Security
Applying Cryptography CSC 482/582: Computer Security

2 Topics Key Generation Randomness and Information Theory PRNGs
Entropy Gathering Key Storage Cryptographic APIs CSC 482/582: Computer Security

3 Key Generation Goal: generate difficult to guess keys
Given set of K potential keys, choose one randomly. Equivalent to selecting a random number between 0 and K–1 inclusive. Difficulty: generating random numbers Computer generated numbers are pseudo-random, that is, generated by an algorithm. “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.” – John vonNeumann CSC 482/582: Computer Security

4 How can be measure randomness?
For a fair coin flip, our uncertainty is 2 results. It could be either heads or tails. The uncertainty of 2 flips would be 2*2 = 4. Logarithmic measure of uncertainty. We feel uncertainties should add, not multiply. Measures uncertainties in bits, instead of raw #s. Uncertainty is log2(M), where M is # results. U = log2 M CSC 482/582: Computer Security

5 Information The amount of information in a message is the minimal number of bits needed to encode all possible meanings. Example: day of the week (7 possibilities) Encode in 3 bits 000 Sunday to 110 Saturday, with 111 unused ASCII strings “Sunday” through “Saturday” use more bits, but don’t encode more information. CSC 482/582: Computer Security

6 Information The amount of information in a message is the minimal number of bits needed to encode all possible meanings. Example: day of the week Encode in <3 bits 000 Sunday to 110 Saturday, with 111 unused ASCII strings “Sunday” through “Saturday” use more bits, but don’t encode more information. In general, if N possible items, log2 N bits needed. I = log2 N which is the same formula as for uncertainty, so U = I. CSC 482/582: Computer Security

7 Information and Probability
If the probability of each of the N messages being sent is equal, then p = 1/N. I = log2 1/p What does 1/p really mean? Let's see: Message: "Coin comes up heads or tails"  Probability p=1  Information I = log2 1/1 = log2 1 = 0 Message: "Coin comes up heads"  Probability p=0.5  Information I = log2 1/0.5 = log2 2 = 1 CSC 482/582: Computer Security

8 What if probabilities aren’t equal?
Given a message of N symbols, such that each symbol occurs Ni times i=1..M Ni = N Our average uncertainty for the string is i=1..M Ni (-log2(Pi)) / i=1..M Ni which can be rewritten as -i=1..M Ni/N log2(Pi) CSC 482/582: Computer Security

9 Information I = -i=1..M Pi log2(Pi)
Reduces to original formula if all symbols equiprobable, i.e., Pi = 1/M: I = -i=1..M 1/M log2(1/M) = 1/M log2(M) i=1..M 1 = log2(M) CSC 482/582: Computer Security

10 Information Content of English
For random English letters, 4.7 bits/letter For large samples of English text, 1.3 bits/letter For bzipped English text, 7.95+ bits/letter CSC 482/582: Computer Security

11 Testing for Randomness
A byte stream is random if I is approximately 8 bits/byte Compression is a good randomizing function. Cryptography is a good randomizing function. Statistical tests for randomness Zeros occur about as often as ones. Pairs of zeros occur about half as often as single zeros and as often as pairs of ones. CSC 482/582: Computer Security

12 PRNGs Determinism and Randomness Seeding the PRNG Linear Congruential
CSPNRGs Blum-Blum-Shub Tiny Attacks on PNRGs CSC 482/582: Computer Security

13 Determinism Computers are deterministic
Can’t produce true random numbers. Pseudo-random numbers appear to be random to certain statistical tests. Tests can be derived from compression. If you can compress sequence, it’s not random. Software generated pseudo-random sequences are periodic and predictable. CSC 482/582: Computer Security

14 Seeds Input used to generate initial PR number.
Should be computationally infeasible to predict Generate seed from random, not PR, data. Large seed: 32 bits too small; only 232 combinations. Sequence is still periodic, but starts from different point for each different seed. Identical sequences produced for identical seeds. Period needs to be large for security. CSC 482/582: Computer Security

15 Linear Congruential Generator
nk = (ank–1 + b) mod m m Modulus (a large prime integer), maximum period a Multiplier (integer from 2..m-1) b Increment n0 Sequence initializer (seed) CSC 482/582: Computer Security

16 LCG Example in Python #!/usr/bin/env python import sys Modulus
def lcg(x): return a*x % 13 i = 0; li=[] a, x = map(int, sys.argv[1:3]) while(i < 10): x = lcg(x) li.append(str(x)) i += 1 print ", ".join(li) Modulus Multiplier Seed >./prng.py 5 2 11, 4, 8, 2, 11, 4, 8, 2, 11, 4 >./prng.py 6 2 0, 1, 7, 4, 12, 8, 10, 9, 3, 6 CSC 482/582: Computer Security

17 Linear Congruential Generator
Choice of a critical Many choices of a do not produce a full period. Sequence is permutation of integers 1..m-1 Ex: 2, 6, 7, 11 for m=13 For production LCGs, m=232-1 common a = is well studied full period multiplier LCGs are statistically random but predictable, giving away LCG state with each number. LCGs are not cryptographically useful. CSC 482/582: Computer Security

18 Secure PRNGs Cryptographically Secure PRNGs:
Statistically appear random. Difficult to predict next member of sequence from previous members. Difficult to extract internal state of PRNG from observing output. Similar to stream ciphers. May be re-seeded at runtime, unlike PRNGs. CSC 482/582: Computer Security

19 Blum Blum Shub xn+1 = xn2 mod M Blum Number M Seed
Product of two large primes, p and q p mod 4 = 3, q mod 4 = 3 Seed Choose random integer x, relatively prime to M. x0 = x2 mod M CSC 482/582: Computer Security

20 Blum Blum Shub Random Output: Provably secure Slow LSB of xn+1
Can safely use log2M bits. Provably secure Distinguishing output bits from random bits is as difficult as factoring M for large M. Slow Requires arbitrary precision software math libraries. CSC 482/582: Computer Security

21 Strong Mixing Functions
Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits. Examples: AES, DES, SHA-1, SHA-2 Use on UNIX-based systems: (date; ps gaux) | md5 where “ps gaux” lists all information about all processes on system. CSC 482/582: Computer Security

22 Attacks on PNRGs Direct Cryptanalytic Input-Based
Distinguish between PRNG output and random output with better than 50% accuracy. Input-Based Use knowledge of PRNG input to predict output. Insert input into PRNG to control output. State Compromise Extension Extend previously successful attack that has recovered internal state to recover either or both. past unknown PRNG outputs future PRNG outputs after additional inputs given to PRNG CSC 482/582: Computer Security

23 ASF On-line Gambling Re-seeded PRNG before each shuffle Shuffling
always start with ordered deck. Shuffling Fair: 2226 combinations 32-bit seed: 232 combinations ms seed: 86,400,000 combinations synchronize time: 200,000 combinations Predict deck based on 5 known cards. CSC 482/582: Computer Security

24 ASF PRNG Flaws PRNG algorithm used small seed (32 bits.)
Non-cryptographic PRNG used. Seed generated by poor source of randomness. CSC 482/582: Computer Security

25 Entropy Collection Hardware Solutions Software Solutions
Poor Entropy Collection Entropy Estimation CSC 482/582: Computer Security

26 Hardware Sources Radioactive Decay Thermal or Electrical Noise LavaRnd
Hotbits: 256 bits/s Thermal or Electrical Noise Comscire QNG Model J1000KU, 1 Mbit/s Via Padlock RNG on Via x86 CPUs kbits/s LavaRnd SGI used LavaLite; LavaRnd uses lenscapped digicam up to 200 kbits/s CSC 482/582: Computer Security

27 Software Sources Less Secure, More Convenient
Software systems can be sufficiently complex to be almost impossible to predict. User Input: Push, don’t Pull Record time stamp when keystroke or mouse event occurs. Don’t poll most recent user input every .1s Far fewer possible timestamps. CSC 482/582: Computer Security

28 Software Sources: /dev/random
Idea: use multiple random software sources. Store randomness in pool for user requests. Use hash functions (i.e., strong mixing functions) to distill data from multiple sources. /dev/random can use random sources such as CPU load disk seeks kernel interrupts keystrokes network packet arrival times /dev/audio sans microphone dd if=/dev/random of=randbits.bin bs=1 count=4096 dd if=/dev/urandom of=randbits.bin bs=1 count=4096 CSC 482/582: Computer Security

29 Software Sources: /dev/random
each bit is truly random. blocks unless enough random bits are available. /dev/urandom supplies requested number of bits immediately. reuses current state of pool—lower quality randomness. dd if=/dev/random of=randbits.bin bs=1 count=4096 dd if=/dev/urandom of=randbits.bin bs=1 count=4096 CSC 482/582: Computer Security

30 Poor Entropy: Netscape 1.1
SSL encryption generates random 40- or 128-bit session key Netscape 1.1 seeded PRNG with time of day PID and PPID All visible to attacker on same machine. Remote attack broke keys in 30 seconds guessed limited randomness in PID/PPID. packet sniffing can determine time of day. CSC 482/582: Computer Security

31 Random Number APIs Windows Java rand() – insecure PRNG, uses LCG
CryptGenRandom() – CSRNG CryptGenKey() – to securely generate keys Java java.util.Random – insecure PRNG java.security.SecureRandom – CSRNG Relies on OS, so SecureRandom can fall back to insecure Random if OS does not provide /dev/random or similar CSC 482/582: Computer Security

32 Key Storage Source Code File on Disk Registry
Can use strings to extract from binary. File on Disk Attacker can search disk for files with high entropy, which are likely to contain keys. Encryption of file adds another layer of difficulty, but there must be a key someplace. Registry Attacker can access with regedit. External Device, e.g. smartcards, smartphones, etc. Attacker can obtain PINs or use power analysis attackers to extract keys from device. CSC 482/582: Computer Security

33 Key Points Keys generated must be truly random.
Test for randomness by measuring information. I = -i=1..M Pi log2(Pi) Secure PRNGs must have the following qualities: Statistically appear random. Difficult to predict next member of sequence from previous members. Difficult to extract internal state of PRNG from observing output. Algorithmic PRNG techniques: Linear congruential generators: non-crypto. Blum Blum Shub cryptographic PRNG. Computer RNGs: Hardware RNGs: thermal noise, decays. Software RNGs: disk seeks, interrupts. CSC 482/582: Computer Security

34 References Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. D. Eastlake, “Randomness Recommendations for Security,” RFC 1750, Ian Goldberg and David Wagner, “Randomness and the Netscape Browser,” Doctor Dobbs’ Journal, Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996. S. K. Park, K. W. Miller, “Random number generators: good ones are hard to find,”  Communications of the ACM,  Volume 31 Issue 10 , October 1988. Tom Schneider, “Information Theory Primer,” Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996. John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002. Joss Visser, “Kernel based random number generation in HP-UX 11.00,” David Wheeler, Secure Programming for UNIX and Linux HOWTO, CSC 482/582: Computer Security


Download ppt "CSC 482/582: Computer Security"

Similar presentations


Ads by Google